The Common Vulnerabilities and Exposures (CVE) database is the de facto source of disclosed software vulnerabilites. CVE Monitor is a plugin for Web Host Manager (WHM) that scans and reports on website vulnerabilities published in the CVE database. It provides reports to help server administrators and hosting resellers get rid of website vulnerabilities, preventing websites from being hacked.
This project was born out of the pain we experienced at Anno Internet with an increading number of customer WordPress websites being compromised — outdated and vulnerable plugins and themes leave their websites open to attack. The problem is getting worse.
Background
At the heart of the issue lies in the mindset of website owners. Many may not fully grasp the significance of regularly updating their web applications to safeguard against potential compromises. Additionally, even those who recognize the importance of updates might encounter challenges in executing them effectively. Furthermore, old websites and unused plugins and themes are often left in place, falling by the wayside. Unfortunately, this creates an environment where malicious actors exploit vulnerabilities as the norm.
There is a gap…
As a server administrator, I have learned the hard way that we cannot rely on website owners to keep their web applications safe and up to date.
There are some great tools available to help in the fight against the bad guys, but none of them fully addresses this gap:
- cPanel Site Quality Monitor: The recently added cPanel plugin (a rebranded offering from Koality) lists CVE vulnerabilities and much more. The limitation of this approach is that it still is up to the website owner to take the initiative, and many simply won’t.
- Configserver Exploit Scanner (CXS): With a one-time $60 price tag, this is one the best investments you will ever make for your shared hosting server. CXS does a great job of intercepting and quarantining malicious files. It also reports on installed versions of popular web applications and their plugins and themes. It leaves everything up to the server administrator and does not call the website owner to action.
- cPGaurd and ImunifyAV: Subscription service that seems to offer similar functionality and more to CXS in a nice web interface. I have no experience with either, but it does seem that the website owners are left in their La La Land and not called to action.
CVE Monitor addresses the gap…
The CVE Monitor pro-actively managing vulnerabilities by involving the website owners:
- It identifies vulnerabilities in near real time.
- It provides reports to server administrators and resellers.
- It prompst website owners to address the vulnerabilites (under development).
- When website owners do not heed warnings and fail to take action (under development), it disables the vulnerable website.
Eating our own dogfood
We have been using the CVE Monitor with great success to secure our shared hosting servers at Anno Internet.
We are now inviting other WHM/cPanel server administrators to try it out. For now, access is free of charge. Depending on feedback and usage volume, we may offer CVE Monitor as a subscription service at a modest fee.
Credit where it’s due
A massive thanks to the folks at Wordfence for making their vulnerability data feed publicly available. Without this data feed, I would have had a much tougher time assembling a vulnerability database.